Customer Due Diligence (CDD)
Stands for: Customer Due Diligence
The standard onboarding and monitoring process applied to normal-risk customers under AML rules.
Definition
**Customer Due Diligence (CDD)** is the baseline tier of customer scrutiny under FATF Recommendation 10. It covers four steps: identify the customer, verify the customer's identity using independent and reliable source documents, identify and verify the beneficial owner, and understand the purpose and intended nature of the business relationship. Ongoing monitoring of the relationship is the fifth, continuous step.

CDD is the default. It is applied to every customer the regulated entity onboards, unless the customer qualifies for Simplified Due Diligence (SDD, low risk) or triggers Enhanced Due Diligence (EDD, high risk). The risk assessment underpinning that decision is itself a regulatory artefact: it must be documented, reviewed, and made available to the supervisor on request.

The CDD output is a customer file containing identity documents, an ownership chart, the expected transaction profile, a source-of-funds statement, sanctions and PEP screening results, and the institution's own risk score for the customer. This file underpins ongoing monitoring throughout the relationship.
When you'll encounter it
You will encounter CDD any time a regulated entity onboards you. For corporate customers it includes documentation of the legal entity, identification of every UBO at the 25 percent ownership threshold (or lower in some jurisdictions), and confirmation that none of the parties appear on sanctions or politically exposed person lists.
Used in our guides
- Turkey Business Laws and Compliance: What Every Foreign Investor Must Know
- Opening a UK Business Bank Account: Requirements and Best Options
- UK Business Laws and Compliance: Companies House Filing Guide
- UAE Crypto and Virtual Asset Regulations: VARA Framework Explained
- UAE Business Laws and Compliance: Essential Guide for Foreign Companies
FAQ
When can simplified due diligence be applied?
SDD is permitted for low-risk relationships specifically identified by the supervisor or by the institution's own risk assessment. Typical examples are listed companies on regulated markets, public administrations, and certain regulated financial institutions in equivalent jurisdictions. SDD does not eliminate due diligence; it scales the depth and frequency.
What triggers a step-up to EDD?
Higher-risk indicators trigger the step-up: Politically Exposed Person status, customers from FATF-listed or EU-listed high-risk third countries, complex or unusual ownership structures, cash-intensive businesses, and certain product types including private banking, correspondent banking, and virtual assets.
How often must CDD be refreshed?
There is no fixed period in FATF rules; it is risk-based. Common practice is annual review for medium-risk customers, every two to three years for low-risk, and continuous review for high-risk. Material changes in ownership, business model, or sanctions exposure trigger immediate re-verification regardless of the periodic cycle.
References
- FATF Recommendation 10 - Customer Due Diligence https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html
- Wolfsberg Group AML Principles https://www.wolfsberg-principles.com/
- Joint Money Laundering Steering Group (JMLSG) Guidance, UK https://www.jmlsg.org.uk/